Simple Bug Facebook Messenger allows Hackers to Read all your Chats

A security researcher has discovered a critical vulnerability in Facebook Messenger that could allow an attacker to read all your private conversation, affecting the privacy of around 1 Billion Messenger users.
Ysrael Gurt, the security researcher at BugSec and Cynet, reported a cross-origin bypass-attack against Facebook Messenger which allows an attacker to access your private messages, photos as well as attachments sent on the Facebook chat.

To exploit this vulnerability, all an attacker need is to trick a victim into visiting a malicious website; that’s all.
Once clicked, all private conversations by the victim, whether from a Facebook's mobile app or a web browser, would be accessible to the attacker, because the flaw affected both the web chat as well as the mobile application.

Dubbed "Originull," the vulnerability actually lies in the fact that Facebook chats are managed from a server located at {number}-edge-chat.facebook.com, which is separate from Facebook's actual domain (www.facebook.com).

The root of this issue was misconfigured cross-origin header implementation on Facebook's chat server domain, which allowed an attacker to bypass origin checks and access Facebook messages from an external website.

However, Secret Conversations, Facebook Messenger's end-to-end encrypted chat feature was not affected by this bug, as it can be initiated or launched only using its mobile app.

"This security flaw meant that the messages of 1-billion active monthly Messenger users were vulnerable to attackers," said Stas Volfus, Chief Technology Officer of BugSec.
"This was an extremely serious issue, not only due to the high number of affected users, but also because even if the victim sent their messages using another computer or mobile, they were still completely vulnerable."

The researcher disclosed the severe vulnerability to Facebook through its Bug Bounty program. The Facebook security team acknowledged the issue and patched the vulnerable component.